Permissions for @turbot/aws-iam
The table below lists each permission covered by the IAM mod together with its Guardrails grant level and, where relevant, a note explaining why that level was chosen:
Permission | Grant Level | Help |
---|---|---|
access-analyzer:ApplyArchiveRule | Owner | |
access-analyzer:CancelPolicyGeneration | Owner | |
access-analyzer:CreateAccessPreview | Owner | |
access-analyzer:CreateAnalyzer | Owner | |
access-analyzer:CreateArchiveRule | Owner | |
access-analyzer:DeleteAnalyzer | Owner | |
access-analyzer:DeleteArchiveRule | Owner | |
access-analyzer:GetAccessPreview | Metadata | |
access-analyzer:GetAnalyzedResource | Metadata | |
access-analyzer:GetAnalyzer | Metadata | |
access-analyzer:GetArchiveRule | Metadata | |
access-analyzer:GetFinding | Metadata | |
access-analyzer:GetGeneratedPolicy | Metadata | |
access-analyzer:ListAccessPreviewFindings | Metadata | |
access-analyzer:ListAccessPreviews | Metadata | |
access-analyzer:ListAnalyzedResources | Metadata | |
access-analyzer:ListAnalyzers | Metadata | |
access-analyzer:ListArchiveRules | Metadata | |
access-analyzer:ListFindings | Metadata | |
access-analyzer:ListPolicyGenerations | Metadata | |
access-analyzer:ListTagsForResource | Metadata | |
access-analyzer:StartPolicyGeneration | Owner | |
access-analyzer:StartResourceScan | Owner | |
access-analyzer:TagResource | Operator | |
access-analyzer:UntagResource | Operator | |
access-analyzer:UpdateArchiveRule | Owner | |
access-analyzer:UpdateFindings | Owner | |
access-analyzer:ValidatePolicy | Operator | |
iam:AddClientIDToOpenIDConnectProvider | None | OpenID is not used in Guardrails accounts. |
iam:AddRoleToInstanceProfile | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied. |
iam:AddUserToGroup | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied. |
iam:AttachGroupPolicy | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied. |
iam:AttachRolePolicy | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied. |
iam:AttachUserPolicy | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied. |
iam:ChangePassword | None | Users are not allowed to change their own password. Owners may change passwords for users through *LoginProfile permissions. |
iam:CreateAccessKey | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied. |
iam:CreateAccountAlias | Owner | Owners can manage the AWS account alias. |
iam:CreateGroup | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied. |
iam:CreateInstanceProfile | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied. |
iam:CreateLoginProfile | Whitelist | Owners can optionally create passwords for custom users. Management of Guardrails users is explicitly denied. |
iam:CreateOpenIDConnectProvider | None | OpenID is not used in Guardrails accounts. |
iam:CreatePolicy | Owner | Owners can manage custom policies. Management of Guardrails policies is explicitly denied. |
iam:CreatePolicyVersion | Owner | Owners can manage custom policies. Management of Guardrails policies is explicitly denied. |
iam:CreateRole | Owner | Owners can create custom roles. |
iam:CreateSAMLProvider | Owner | SAML is not used in Guardrails accounts. |
iam:CreateServiceLinkedRole | Owner | Owners can manage service-linked roles. |
iam:CreateServiceSpecificCredential | Owner | |
iam:CreateUser | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied. |
iam:CreateVirtualMFADevice | Owner | Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied. |
iam:DeactivateMFADevice | Owner | Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied. |
iam:DeleteAccessKey | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied. |
iam:DeleteAccountAlias | Owner | Owners can manage the AWS account alias. |
iam:DeleteAccountPasswordPolicy | Owner | |
iam:DeleteGroup | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied. |
iam:DeleteGroupPolicy | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied. |
iam:DeleteInstanceProfile | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied. |
iam:DeleteLoginProfile | Whitelist | Owners can optionally manage passwords for custom users. Management of Guardrails users is explicitly denied. Deletion of the login profile is always allowed so that user deletion in the IAM console works. |
iam:DeleteOpenIDConnectProvider | None | OpenID is not used in Guardrails accounts. |
iam:DeletePolicy | Owner | Owners can manage custom policies. Management of Guardrails policies is explicitly denied. |
iam:DeletePolicyVersion | Owner | Owners can manage custom policies. Management of Guardrails policies is explicitly denied. |
iam:DeleteRole | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied. |
iam:DeleteRolePermissionsBoundary | Owner | Owners can delete a role's permissions boundary. |
iam:DeleteRolePolicy | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied. |
iam:DeleteSAMLProvider | Owner | SAML is not used in Guardrails accounts. |
iam:DeleteSSHPublicKey | Owner | Users may be granted permission to manage SSH public keys by other services (e.g. CodeCommit). |
iam:DeleteServerCertificate | Owner | Owners can manage server certificates. Users are also granted permission to manage server certs by other services (e.g. ELB). |
iam:DeleteServiceLinkedRole | Owner | |
iam:DeleteServiceSpecificCredential | Owner | |
iam:DeleteSigningCertificate | None | SOAP is deprecated by AWS and not supported by Guardrails. |
iam:DeleteUser | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied. |
iam:DeleteUserPermissionsBoundary | Owner | Owners can delete a user's permissions boundary. |
iam:DeleteUserPolicy | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied. |
iam:DeleteVirtualMFADevice | Owner | Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied. |
iam:DetachGroupPolicy | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied. |
iam:DetachRolePolicy | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied. |
iam:DetachUserPolicy | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied. |
iam:EnableMFADevice | Owner | Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied. |
iam:GenerateCredentialReport | Metadata | |
iam:GenerateOrganizationsAccessReport | Owner | |
iam:GenerateServiceLastAccessedDetails | Metadata | |
iam:GetAccessKeyLastUsed | Metadata | |
iam:GetAccountAuthorizationDetails | Metadata | |
iam:GetAccountPasswordPolicy | Metadata | |
iam:GetAccountSummary | Metadata | |
iam:GetContextKeysForCustomPolicy | Metadata | |
iam:GetContextKeysForPrincipalPolicy | Metadata | |
iam:GetCredentialReport | Metadata | |
iam:GetGroup | Metadata | |
iam:GetGroupPolicy | Metadata | |
iam:GetInstanceProfile | Metadata | |
iam:GetLoginProfile | Metadata | |
iam:GetOpenIDConnectProvider | Metadata | |
iam:GetOrganizationsAccessReport | Metadata | |
iam:GetPolicy | Metadata | |
iam:GetPolicyVersion | Metadata | |
iam:GetRole | Metadata | |
iam:GetRolePolicy | Metadata | |
iam:GetSAMLProvider | Metadata | |
iam:GetSSHPublicKey | Metadata | |
iam:GetServerCertificate | Metadata | |
iam:GetServiceLastAccessedDetails | Metadata | |
iam:GetServiceLastAccessedDetailsWithEntities | Metadata | |
iam:GetServiceLinkedRoleDeletionStatus | Metadata | |
iam:GetUser | Metadata | |
iam:GetUserPolicy | Metadata | |
iam:ListAccessKeys | Metadata | |
iam:ListAccountAliases | Metadata | |
iam:ListAttachedGroupPolicies | Metadata | |
iam:ListAttachedRolePolicies | Metadata | |
iam:ListAttachedUserPolicies | Metadata | |
iam:ListEntitiesForPolicy | Metadata | |
iam:ListGroupPolicies | Metadata | |
iam:ListGroups | Metadata | |
iam:ListGroupsForUser | Metadata | |
iam:ListInstanceProfileTags | Metadata | |
iam:ListInstanceProfiles | Metadata | |
iam:ListInstanceProfilesForRole | Metadata | |
iam:ListMFADeviceTags | Metadata | |
iam:ListMFADevices | Metadata | |
iam:ListOpenIDConnectProviderTags | Metadata | |
iam:ListOpenIDConnectProviders | Metadata | |
iam:ListPolicies | Metadata | |
iam:ListPoliciesGrantingServiceAccess | Metadata | |
iam:ListPolicyTags | Metadata | |
iam:ListPolicyVersions | Metadata | |
iam:ListRolePolicies | Metadata | |
iam:ListRoleTags | Metadata | Lists the tags on an IAM role. |
iam:ListRoles | Metadata | |
iam:ListSAMLProviderTags | Metadata | |
iam:ListSAMLProviders | Metadata | |
iam:ListSSHPublicKeys | Metadata | |
iam:ListServerCertificateTags | Metadata | |
iam:ListServerCertificates | Metadata | |
iam:ListServiceSpecificCredentials | Metadata | |
iam:ListSigningCertificates | Metadata | |
iam:ListUserPolicies | Metadata | |
iam:ListUserTags | Metadata | Lists the tags on an IAM user. |
iam:ListUsers | Metadata | |
iam:ListVirtualMFADevices | Metadata | |
iam:PassRole | Owner | Owners need PassRole so that they can create IAM roles for EC2. This also whitelists the permission so that other services can grant it specifically. PassRole for Guardrails roles is explicitly denied. |
iam:PutGroupPolicy | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied. |
iam:PutRolePermissionsBoundary | Owner | Owners can add a permissions boundary to a role. |
iam:PutRolePolicy | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied. |
iam:PutUserPermissionsBoundary | Owner | Owners can add a permissions boundary to a user. |
iam:PutUserPolicy | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied. |
iam:RemoveClientIDFromOpenIDConnectProvider | None | OpenID is not used in Guardrails accounts. |
iam:RemoveRoleFromInstanceProfile | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied. |
iam:RemoveUserFromGroup | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied. |
iam:ResetServiceSpecificCredential | Owner | |
iam:ResyncMFADevice | Owner | Owners can manage MFA for custom users. Management of Guardrails users is explicitly denied. |
iam:SetDefaultPolicyVersion | Owner | Owners can manage custom policies. Management of Guardrails policies is explicitly denied. |
iam:SetSecurityTokenServicePreferences | Owner | |
iam:SimulateCustomPolicy | Metadata | Allows users to simulate and investigate IAM permissions. Note that this also allows viewing the permissions of other users. |
iam:SimulatePrincipalPolicy | Metadata | Allows users to simulate and investigate IAM permissions. Note that this also allows viewing the permissions of other users. |
iam:TagInstanceProfile | Operator | |
iam:TagMFADevice | Operator | |
iam:TagOpenIDConnectProvider | Operator | |
iam:TagPolicy | Operator | |
iam:TagRole | Operator | Creates or modifies the tags on an IAM role. |
iam:TagSAMLProvider | Operator | |
iam:TagServerCertificate | Operator | |
iam:TagUser | Operator | Creates or modifies the tags on an IAM user. |
iam:UntagInstanceProfile | Operator | |
iam:UntagMFADevice | Operator | |
iam:UntagOpenIDConnectProvider | Operator | |
iam:UntagPolicy | Operator | |
iam:UntagRole | Operator | Removes the tags on an IAM role. |
iam:UntagSAMLProvider | Operator | |
iam:UntagServerCertificate | Operator | |
iam:UntagUser | Operator | Removes the tags on an IAM user. |
iam:UpdateAccessKey | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied. |
iam:UpdateAccountPasswordPolicy | Owner | |
iam:UpdateAssumeRolePolicy | Owner | Owners can manage custom roles. Management of Guardrails roles is explicitly denied. |
iam:UpdateGroup | Owner | Owners can manage custom groups. Management of Guardrails groups is explicitly denied. |
iam:UpdateLoginProfile | Whitelist | Owners can optionally change passwords for custom users. Managing passwords for Guardrails users is explicitly denied. |
iam:UpdateOpenIDConnectProviderThumbprint | None | OpenID is not used in Guardrails accounts. |
iam:UpdateRole | Owner | Updates the description or maximum session duration setting of a role. |
iam:UpdateRoleDescription | Owner | Owners can modify the description of a role. |
iam:UpdateSAMLProvider | Owner | SAML is not used in Guardrails accounts. |
iam:UpdateSSHPublicKey | Owner | Owners can manage SSH public keys. Users may be granted permission to manage SSH public keys by other services (e.g. CodeCommit). |
iam:UpdateServerCertificate | Owner | Owners can manage server certificates. Users are also granted permission to manage server certs by other services (e.g. ELB). |
iam:UpdateServiceSpecificCredential | Owner | |
iam:UpdateSigningCertificate | None | SOAP is deprecated by AWS and not supported by Guardrails. |
iam:UpdateUser | Whitelist | Owners can manage custom users. Management of Guardrails users is explicitly denied. |
iam:UploadSSHPublicKey | Owner | Owners can manage SSH public keys. Users may be granted permission to manage SSH public keys by other services (e.g. CodeCommit). |
iam:UploadServerCertificate | Owner | Owners can manage server certificates. Users are also granted permission to manage server certs by other services (e.g. ELB). |
iam:UploadSigningCertificate | None | SOAP is deprecated by AWS and not supported by Guardrails. |
organizations:DescribeOrganization | Metadata | |
sts:AssumeRole | Operator | Assuming Guardrails roles (determined by path) is explicitly denied. |
sts:AssumeRoleWithSAML | Operator | Assuming Guardrails roles (determined by path) is explicitly denied. |
sts:AssumeRoleWithWebIdentity | Operator | Assuming Guardrails roles (determined by path) is explicitly denied. |
sts:DecodeAuthorizationMessage | Metadata | Users with access to Metadata are granted the ability to decode any authorization failure messages they receive. This aids troubleshooting and is appropriate given they already have access at a Metadata level. |